Whitelisting.

Glenn Steen glenn.steen at gmail.com
Fri Sep 11 17:04:17 IST 2009


2009/9/11 Richard Mealing <richard at fastnet.co.uk>:
> Hello everyone,
>
> I have had some strangeness happening on our whitelists per domain. A few
> weeks ago I turned this on (from a global list) and it’s been working great.
> Unfortunately I’ve just seen this –
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> from=<geoff.**@example1.co.uk>, size=92755, class=0, nrcpts=2,
> msgid=<200909100815.n8A8FpvA014176 at mailfilter7.**>, proto=ESMTP,
> daemon=IPv4, relay=adsl-** [**] (may be forged)
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> to=<spares at example2.com>, delay=00:00:01, mailer=esmtp, pri=152755,
> stat=queued
>
> Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176:
> to=<joe.tavani at example1.co.uk>, delay=00:00:01, mailer=esmtp, pri=152755,
> stat=queued
>
> Sep 10 09:15:54 mailfilter7 MailScanner[83390]: Message n8A8FpvA014176 from
> ** (geoff.***@example1.co.uk) to example1.co.uk,example2.com is spam,
> SpamAssassin (not cached, score=6.561, required 3.5, autolearn=disabled,
> DYN_RDNS_AND_INLINE_IMAGE 0.00, EXTRA_MPART_TYPE 1.00, HTML_IMAGE_ONLY_12
> 2.25, HTML_IMAGE_RATIO_02 0.55, HTML_MESSAGE 0.00, MIME_BOUND_EQ_REL 0.84,
> MIME_QP_LONG_LINE 1.82, RDNS_DYNAMIC 0.10)
>
> Sep 10 09:15:57 mailfilter7 MailScanner[83390]: Spam Actions: message
> n8A8FpvA014176 actions are spam at example1.co.uk,forward
>
> Sep 10 09:15:58 mailfilter7 sendmail[14377]: n8A8FpvA014176:
> to=<spam at example1.co.uk>, delay=00:00:06, xdelay=00:00:00, mailer=esmtp,
> pri=242755, relay=mail.example1.co.uk. [****], dsn=2.0.0, stat=Sent
> (n8A8FvcY083874 Message accepted for delivery)
>
> My whitelist –
>
> grep example1 /**/customer_rulesets/spam.bydomain/whitelist/example1.co.uk
>
> *@example1.co.uk
>
> (I’ve replaced some things but you get the point..)
>
> Basically, most of the time this works great; some of the time I see stuff
> getting through, not being whitelisted, etc. When I grep for whitelist in the
> maillog it shows as stopping and starting all the time. For example, here is
> the period when MailScanner should have found the whitelist entry –
>
> Sep 11 09:15:39 mailfilter7 MailScanner[44048]: Closing down by-domain spam
> whitelist
>
> Sep 11 09:15:40 mailfilter7 MailScanner[40706]: Starting up by-domain spam
> whitelist, reading from /**/customer_rulesets/spam.bydomain/whitelist
>
> Sep 11 09:15:46 mailfilter7 MailScanner[66736]: Message n8B8Feab040736 from
> 15***** (craig.**@**.com) is whitelisted
>
> Sep 11 09:15:53 mailfilter7 MailScanner[40706]: Read whitelist for 1165
> domains
>
> Sep 11 09:16:13 mailfilter7 MailScanner[59788]: Message n8B8G8Oo041572 from
> *** (havant@**.co.uk) is whitelisted
>
> Sep 11 09:16:27 mailfilter7 MailScanner[36105]: Message n8B8GLKM042076 from
> *** (yourmessages@**.co.uk) is whitelisted
>
> I’ve been searching, and this whitelist usually works for my entry; I can see
> other email addresses from the same domain being whitelisted fine. This
> leads me to believe it’s something to do with the stopping and starting of
> the by-domain spam whitelist?
>
> Does anyone else see this in their logs?
>
> Rich
>
IIUC what you are doing, this is actually expected;-).
Both the envelope from and From: message header (which are _not_ the
same thing) are easily forged. There simply are no good ways of
validating them in plain (E-)SMTP, so therefore you cannot under any
circumstances rely on that information for whitelisting. At least not
that info alone.
What you need to do is use something that cannot be forged so easily,
like the sending server's IP address, or using some TLS measure, and
whitelist on that.
Just using the domain... will only give you grief. Regardless of where
you whitelist (MTA, MS or SA). The only place where a small whitelist
bonus (negative score) would make some sense is likely in SA, and even
there it is best to rely on the sending server, or similar.

Cheers
-- 
-- Glenn
email: glenn < dot > steen < at > gmail < dot > com
work: glenn < dot > steen < at > ap1 < dot > se
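As an added illustration of Glenn's point (example code written for this archive page, not from the thread or from MailScanner), the script below parses sendmail `from=`/`relay=` lines modelled on Richard's log and compares two whitelist policies: a domain-only rule like `*@example1.co.uk`, and one that also requires the mail to arrive from that domain's known outbound relay network. Hostnames, addresses and IPs are constructed placeholders (RFC 5737 ranges), and the relay network for example1.co.uk is an assumption.

```python
import ipaddress
import re

# Constructed sample log lines in the shape of the sendmail "from=" lines above.
# The first mimics the questionable message (dynamic ADSL relay, "may be forged");
# the second mimics legitimate mail from the domain's own mail server.
SAMPLE_LOG = [
    "Sep 10 09:15:53 mailfilter7 sm-mta-in[14176]: n8A8FpvA014176: "
    "from=<geoff@example1.co.uk>, size=92755, class=0, nrcpts=2, "
    "msgid=<x@mailfilter7>, proto=ESMTP, daemon=IPv4, "
    "relay=adsl-203-0-113-45.isp.example [203.0.113.45] (may be forged)",
    "Sep 10 10:02:11 mailfilter7 sm-mta-in[14210]: n8A92BxZ014210: "
    "from=<accounts@example1.co.uk>, size=1024, class=0, nrcpts=1, "
    "msgid=<y@mail.example1.co.uk>, proto=ESMTP, daemon=IPv4, "
    "relay=mail.example1.co.uk. [192.0.2.10]",
]

FROM_RE = re.compile(r"from=<([^>]*)>.*?relay=(\S+) \[([^\]]+)\]")

def parse_from_line(line):
    """Extract envelope sender, relay host and relay IP from a sendmail from= line."""
    m = FROM_RE.search(line)
    if not m:
        return None
    sender, relay_host, relay_ip = m.groups()
    return {
        "sender": sender,
        "domain": sender.rpartition("@")[2].lower(),
        "relay_host": relay_host,
        "relay_ip": relay_ip,
        "may_be_forged": "(may be forged)" in line,
    }

# Domain-only whitelist, as in the thread: anyone claiming @example1.co.uk is trusted.
DOMAIN_WHITELIST = {"example1.co.uk"}

# Relay-anchored whitelist (assumed network): the domain is trusted only when the
# connecting relay sits in its known outbound mail range.
ANCHORED_WHITELIST = {"example1.co.uk": [ipaddress.ip_network("192.0.2.0/24")]}

def whitelisted_by_domain(entry):
    return entry["domain"] in DOMAIN_WHITELIST

def whitelisted_by_domain_and_relay(entry):
    nets = ANCHORED_WHITELIST.get(entry["domain"], [])
    ip = ipaddress.ip_address(entry["relay_ip"])
    return any(ip in net for net in nets)

def evaluate(log_lines):
    """Return (sender, domain-only verdict, relay-anchored verdict) per parsed line."""
    out = []
    for line in log_lines:
        e = parse_from_line(line)
        if e:
            out.append((e["sender"], whitelisted_by_domain(e), whitelisted_by_domain_and_relay(e)))
    return out
```

Running `evaluate(SAMPLE_LOG)` shows the domain-only rule accepting both messages while the relay-anchored rule accepts only the one from the domain's own server.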

